CZECH REPUBLIC Law and Practice Contributed by: Ondřej Mikula, Jan Šovar and Markéta Klabouchová, FINREG PARTNERS
For this reason, credit institutions and other payment service providers are both subject to strict technical security and data protection requirements imposed by PSD2 and the GDPR. For example, the processing of personal data under PSD2 requires explicit customer consent. In addition, credit institutions and payment service providers must now comply with DORA requirements regarding the security of their ICT systems and contractual arrangements with ICT third-party service providers, including providers of payment processing activities or operating payment infrastructures. Compliance with strict DORA requirements such as effective ICT risk management and advanced ICT testing should help them cope with any privacy and security concerns and ensure their technological safety.

12. Fraud

12.1 Elements of Fraud

Although the number of attacks on banks and their clients is still growing, according to data from the Czech Banking Association (the “CBA”), banks are increasingly succeeding in detecting fraud before the actual outflow of money occurs, and at the same time, as a result of improving defence mechanisms, the average damage is also decreasing.

The most commonly used forms of fraud in the Czech Republic are phishing and smishing, via emails or SMS messages that are made to look like legitimate communications from the respective institution/authority, and vishing via fraudulent phone calls. In the case of phishing, the victims click through to fraudulent websites, where they most often enter their log-in details, thereby revealing them to the fraudsters, who then carry out fraudulent transactions themselves.
In the event of vishing, the caller impersonates, for example, a police officer or a bank employee, and manipulates the victim into taking actions that enable the fraud to be carried out (eg, disclosing data or installing a spying application). In this type of case, the displayed number may mimic the number of the calling institution/authority (so-called “spoofing”).

The sole purpose of these scams is to obtain sensitive data and misuse it. Fraudsters’ practices are becoming more sophisticated as they use new manipulative techniques to target victims and continually innovate their forms of attack. At the same time, victims unwittingly cooperate (eg, through online activity that leaves a digital trail which fraudsters can use to target their attack better), making attacks easier.

12.2 Areas of Regulatory Focus

The regulator’s focus is generally on online fraud, in particular payment fraud (eg, the fraud described in 12.1 Elements of Fraud) and investment fraud (eg, fraudulent investment offers promising high returns). Due to their repetitive nature, the CNB often warns of fraud through fraudulent messages, emails and phone calls, including calls where the attackers impersonate employees of the CNB. However, given the rise of strong customer identification impersonation scams, the CNB has recently focused on this type of fraud as well. As well as online posts with descriptions of fraudulent schemes and practical advice on how to defend against them, the CNB also regularly publishes warnings about entities providing regulated services without the appropriate authorisation.
197 CHAMBERS.COM